
Part No. 313189-F Rev 00
May 2006

4655 Great America Parkway
Santa Clara, CA 95054

Getting Started
Ethernet Routing Switch 8600 Software
Release 4.1

Copyright © 2006 Nortel Networks. All Rights Reserved


The information in this document is subject to change without notice. The statements, configurations, technical data, and
recommendations in this document are believed to be accurate and reliable, but are presented without express or implied
warranty. Users must take full responsibility for their applications of any products specified in this document. The
information in this document is proprietary to Nortel Networks.
The software described in this document is furnished under a license agreement and may be used only in accordance
with the terms of that license. The software license agreement is included in this document.

Trademarks
Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation.
UNIX is a trademark of X/Open Company Limited.
The asterisk after a name denotes a trademarked item.

Restricted rights legend


Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel reserves the right to make
changes to the products described in this document without notice.
Nortel does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s)
described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above
copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials,
and other materials related to such distribution and use acknowledge that such portions of the software were developed
by the University of California, Berkeley. The name of the University may not be used to endorse or promote products
derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains
restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third
parties).


Nortel software license agreement


This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel
Corporation and its subsidiaries and affiliates (“Nortel”). PLEASE READ THE FOLLOWING CAREFULLY. YOU
MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE
OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not
accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of
purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel, its parent or one of its subsidiaries or affiliates, and is copyrighted and
licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such
as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel grants
you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than
those granted to you under this License Agreement. You are responsible for the selection of the Software and for the
installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel grants Customer a nonexclusive license to use a copy of the Software on only
one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the
extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is
granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade
secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer
uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that
anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use,
copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile,
reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly
authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel are beneficiaries of
this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no
longer in use, Customer will promptly return the Software to Nortel or certify its destruction. Nortel may audit by remote
polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party
software included in Software require Nortel to include additional or different terms, Customer agrees to abide by such
terms provided by Nortel with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel and Customer, Software is
provided “AS IS” without any warranties (conditions) of any kind. Nortel DISCLAIMS ALL WARRANTIES
(CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
ANY WARRANTY OF NON-INFRINGEMENT. Nortel is not obligated to provide support of any kind for the
Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may
not apply.
3. Limitation of Remedies. IN NO EVENT SHALL Nortel OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR
ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE
TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL,
PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN
CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE
SOFTWARE, EVEN IF Nortel, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY.
The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or
supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in
such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Software
available under this License Agreement is commercial computer software and commercial computer software
documentation and, in the event Software is licensed for or on behalf of the United States Government, the
respective rights to the software and software documentation are governed by Nortel standard commercial
license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and
48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel may terminate the license if Customer fails to comply
with the terms and conditions of this license. In either event, upon termination, Customer must either return
the Software to Nortel or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from
Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable
export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between
Customer and Nortel.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If
the Software is acquired in the United States, then this License Agreement is governed by the laws of the state
of New York.


Contents

How to get help
  Finding the latest updates on the Nortel Web site
  Getting help from the Nortel Web site
  Getting help over the phone from a Nortel Solutions Center
  Getting help from a specialist by using an Express Routing Code
  Getting help through a Nortel distributor or reseller

Preface
  Before you begin
  Text conventions
  Acronyms
  Printed technical manuals

Chapter 1
Using Ethernet Routing Switch documentation
  Reliability/Resiliency
  IP Services
  Security
  Serviceability/Manageability
  Accessing Ethernet Routing Switch documents
  Using Ethernet Routing Switch documents during installation
  Preparing for initial configuration
  Installing the Ethernet Routing Switch software and hardware
  Configuring the firewall iSDs
  Installing CheckPoint Management Server

Chapter 2
Setting up the switch
  Connecting a terminal
  Connecting a modem
  Password encryption
  Resetting and modifying passwords
  Boot monitor CLI
  Run time CLI
  Logging on to the system
  hsecure bootconfig flag
  Modifying the CLI login and passwords
  Enabling or disabling CLI access levels
  Configuring the switch with the Setup Utility
  Running the Setup Utility
  Configuration example: setup utility
  Rebooting or resetting the switch
  Cold boot/warm boot trap messages
  Setting system identification
  Managing files
  Displaying a directory
  Copying files
  Configuration examples
  Saving the configuration to a file
  Getting Help
  Pinging a device
  Setting and displaying the date
  Accessing the standby CPU
  Exiting and re-entering the CLI

Chapter 3
Setting up the switch for remote management
  Assigning an IP address to the management port
  Assigning static routes to the management interface
  Setting security features
  Enabling remote access services using CLI
  Configuring access service from the Run-Time CLI
  Enabling Rlogin
  Configuration Example: configuring an access policy
  Disabling a service
  Monitoring the switch using Web management
  Managing the switch using Device Manager

Chapter 4
Providing switch reliability
  Providing switch reliability

Index

Figures

Figure 1 setup utility command sample output
Figure 2 setup utility command sample output continued
Figure 3 setup utility command sample output concluded
Figure 4 help clear command sample output
Figure 5 help command sample output
Figure 6 clear syntax command sample output
Figure 7 ping command sample output
Figure 8 config setdate command sample output
Figure 9 date command sample output
Figure 10 config sys access-policy command sample output

Tables

Table 1 Documents for preparing your Ethernet Routing Switch
Table 2 DTE-to-DCE straight-through pin assignments
Table 3 Access levels and default login values
Table 4 New default setting passwords
Table 5 New default community strings
Table 6 Setup utility prompt descriptions
Table 7 File system commands

How to get help

This chapter explains how to get help for Nortel products and services.

Finding the latest updates on the Nortel Web site


The content of this documentation was current at the time the product was
released. To check for updates to the latest documentation and software for
Ethernet Routing Switch, click one of the following links:

| Link to | Takes you directly to the |
|---|---|
| Latest software | Nortel page for the Ethernet Routing Switch 8600 software located at: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=SOFTWARE&resetFilter=1&tranProduct=9015 |
| Latest documentation | Nortel page for the Ethernet Routing Switch 8600 documentation located at: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=DOCUMENTATION&resetFilter=1&tranProduct=9015 |

Getting help from the Nortel Web site


The best way to get technical support for Nortel products is from the Nortel
Technical Support Web site:

www.nortel.com/support


This site provides quick access to software, documentation, bulletins, and tools to
address issues with Nortel products. From this site you can:

• download software, documentation, and product bulletins
• search the Technical Support Web site and the Nortel Knowledge Base for
answers to technical issues
• sign up for automatic notification of new software and documentation for
Nortel equipment
• open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center

If you do not find the information you require on the Nortel Technical Support
Web site, and you have a Nortel support contract, you can also get help over the
phone from a Nortel Solutions Center.

In North America, call 1-800-4NORTEL (1-800-466-7835).

Outside North America, go to the following Web site to obtain the phone number
for your region:

www.nortel.com/callus

Getting help from a specialist by using an Express Routing Code

To access some Nortel Technical Solutions Centers, you can use an Express
Routing Code (ERC) to quickly route your call to a specialist in your Nortel
product or service. To locate the ERC for your product or service, go to:

www.nortel.com/erc


Getting help through a Nortel distributor or reseller


If you purchased a service contract for your Nortel product from a distributor or
authorized reseller, contact the technical support staff for that distributor or
reseller.


Preface

This guide provides procedures for setting up and starting the Ethernet Routing
Switch.

Nortel’s Ethernet Routing Switch 8600 modules deliver a reliable, secure and
intelligent network routing solution for converged applications. Hardware-based
wire speed performance combined with Quality of Service (QoS) mechanisms
enable fast and efficient traffic classification, policy enforcement and filtering.
This combination benefits time-sensitive applications such as video and voice
with better application response times and fewer dropped calls. The Ethernet
Routing Switch 8600 modules deliver a unique solution by combining
performance, intelligence and five nines reliability in one solution.

Before you begin


This book is for network designers and administrators with the following
background:

• basic knowledge of networks, Ethernet bridging, and IP and IPX routing
• familiarity with networking concepts and terminology
• basic knowledge of network topologies
• experience with Windows systems or graphical user interfaces (GUIs)


Text conventions
This guide uses the following text conventions:

angle brackets (< >)
    Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command.
    Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12

bold Courier text
    Indicates command names and options and text that you need to enter.
    Example: Use the dinfo command.
    Example: Enter show ip {alerts|routes}.

braces ({})
    Indicate required elements in syntax descriptions where more than one option is available. You must choose only one of the options. Do not type the braces when entering the command.
    Example: If the command syntax is show ip {alerts|routes}, you must enter either show ip alerts or show ip routes, but not both.

brackets ([ ])
    Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command.
    Example: If the command syntax is show ip interfaces [-alerts], you can enter either show ip interfaces or show ip interfaces -alerts.

ellipsis points (. . . )
    Indicate that you repeat the last element of the command as needed.
    Example: If the command syntax is ethernet/2/1 [<parameter> <value>]... , you enter ethernet/2/1 and as many parameter-value pairs as needed.

italic text
    Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore.
    Example: If the command syntax is show at <valid_route>, valid_route is one variable and you substitute one value for it.

plain Courier text
    Indicates command syntax and system output, for example, prompts and system messages.
    Example: Set Trap Monitor Filters

separator ( > )
    Shows menu paths.
    Example: Protocols > IP identifies the IP command on the Protocols menu.

vertical line ( | )
    Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command.
    Example: If the command syntax is show ip {alerts|routes}, you enter either show ip alerts or show ip routes, but not both.


Acronyms
This guide uses the following acronyms:

AES       Advanced Encryption Standard
BGP       Border Gateway Protocol
BootP     Bootstrap Protocol
CTS       Clear To Send
DCE       data communication equipment
DES       Data Encryption Standard
DHCP      Dynamic Host Configuration Protocol
DNS       domain name server
DSR       Data Set Ready
DTE       data terminal equipment
DVMRP     Distance Vector Multicast Routing protocol
EAPoL     Extensible Authentication Protocol Over Local Area Network
ECMP      Equal Cost Multiple Paths
FTP       File Transfer Protocol
GUI       graphical user interface
HA        high availability
hsecure   High Secure
ICMP      Internet Control Message Protocol
I/O       Input/Output
IP        Internet Protocol
iSD       integrated Service Director
LAN       Local Area Network
MAC       media access control
MIB       management information base
MLT       MultiLink Trunking
OSPF      Open Shortest Path First
PIM-SM    Protocol Independent Multicasting-Sparse Mode
PIM-SSM   Protocol Independent Multicasting-Source Specific Multicast
PGM       Pragmatic General Multicast Protocol
PPP       Point-to-Point Protocol
RIP       Routing Information Protocol
Rlogin    remote login
RSMLT     Routed Split MultiLink Trunking
SCP       Secure Copy
SDM       Service Delivery Module
SLIP      serial line Internet Protocol
SMLT      Split MultiLink Trunking
SNMP      Simple Network Management Protocol
SSH       Secure Shell
SSF       single strand fiber
TCP/IP    Transmission Control Protocol/Internet Protocol
TFTP      Trivial File Transfer Protocol
UDP       User Datagram Protocol
VLACP     Virtual Link Aggregation Control Protocol
VLAN      Virtual Local Area Network
VRRP      Virtual Router Redundancy Protocol
WAN       Wide Area Network


Printed technical manuals


You can print selected technical manuals and release notes for free directly from
the Internet. Go to the www.nortel.com/documentation URL. Find the product for
which you need documentation. Then locate the specific category and model or
version for your hardware or software product. Use Adobe* Acrobat Reader* to
open the manuals and release notes, search for the sections you need, and print
them on most standard printers. Go to Adobe Systems at the www.adobe.com
URL to download a free copy of the Adobe Acrobat Reader.


Chapter 1
Using Ethernet Routing Switch documentation

Ethernet Routing Switch 8600 Software Release 4.1 offers the following features:

Reliability/Resiliency
• Sub 100 ms convergence
• Layer 3 High Availability (HA) Phase 2
• Resilient Switch Clustering - L3 support
• Resilient Switch Clustering - Multicast support
• Multicast (Mcast) over Protocol Independent Multicast-Sparse Mode
(PIM-SM)
• Simple Loop Prevention Protocol (SLPP)
• 802.1w/802.1s—Rapid Spanning Tree Protocol (RSTP- 802.1w) and Multiple
Spanning Tree Protocol (MSTP)/Multiple Spanning Tree Group (802.1s)
• 802.3ad/Split MultiLink Trunking (SMLT) interop/VLACP
• MultiLink Trunking (MLT) scaling
• Per VLAN Spanning Tree (PVST+) (Cisco Compatibility)

IP Services
• Internet Protocol version 6 (IPv6)

Security
• Service Delivery Module Firewall (SDM-FW)
• Service Delivery Module Threat Protection System (SDM-TPS)
• Reverse Path Checking
• 802.1X Extensible Authentication Protocol (EAP)
• Extended Authentication Protocol (802.1x) with User Based Policy support
(EPM)
• CLI Logging
• Advanced Encryption Standard (AES) support for SNMPv3

Serviceability/Manageability
• Internet Protocol Flow Information eXport (IPFIX)
• Lite Domain Name Service (DNS) Client
• Ping Trace Routes and Management Information Base (MIB)
• Remote Mirroring

The 8660 SDM provides firewall security capabilities through an Ethernet
Routing Switch 8600 I/O module. Software Release 4.1 supports the Ethernet
Routing Switch 8600, and Software Release 3.7.6 or later supports the 8660 SDM
in an Ethernet Routing Switch 8600 Series.

This chapter describes the documents that you use to install and configure the
Ethernet Routing Switch 8600 and firewall modules. A description of the
installation process is provided, listing which documents to reference during the
installation and configuration of your Ethernet Routing Switch 8600 system. This
section includes the following topics:

• “Accessing Ethernet Routing Switch documents” on page 25
• “Using Ethernet Routing Switch documents during installation” on page 26


Accessing Ethernet Routing Switch documents


All Ethernet Routing Switch documents are available for download from the
Nortel Web site (www.nortel.com/support). Table 1 lists documents related to the
Ethernet Routing Switch SDM 8660 module.

Table 1 Documents for preparing your Ethernet Routing Switch

| Document Title | Description | Part Number |
|---|---|---|
| Getting Started | Overview of setup requirements for the 8600 switch, and guidelines to install and configure an SDM 8660 module. | 313189-F |
| Release Notes for the Ethernet Routing Switch 8600 Release 4.1 | Release Notes cover new features, fixes, and limitations for the Ethernet Routing Switch 8600 release. | 317177-D |
| Important Notice about the Ethernet Routing Switch 8600 Series Switch Modules | A list of supported modules and minimum software version requirements. | 316340-E |
| Upgrading to Ethernet Routing Switch 8600 Software Release 4.1 | Instructions for upgrading to release 4.1 software on an 8600 system. | 316674-C |
| Firewall and Intrusion Sensor User’s Guide | Configuration details for Firewall integrated Service Directors (iSD). | 217315-B |
| Installing and Using Device Manager | Instructions for installing and using the Device Manager software. | 316341-D |
| Installing the 8660 Service Delivery Module (SDM) | Instructions for installing the 8660 SDM and information about field replacements. | 217314-B |
| System Messaging Platform Reference Guide | A list of error messages from the System Messaging Platform. | 315015-E |

Note: For additional configuration examples, refer to Technical
Configuration Guide Service Delivery Module Firewall v1.0, which is
also available from the Nortel Web site.

Using Ethernet Routing Switch documents during installation

Nortel recommends following the installation process described in this section to
install your Ethernet Routing Switch system. Required documents are listed for
each step.

• “Preparing for initial configuration”
• “Installing the Ethernet Routing Switch software and hardware” on page 26
• “Install the Ethernet Routing Switch 8660 Service Delivery Module into the
8600 chassis using the instructions in Installing the 8660 Service Delivery
Module (SDM) (217314-B).” on page 27
• “Configuring the firewall iSDs” on page 28
• “Installing CheckPoint Management Server” on page 28

Preparing for initial configuration

Before continuing with the installation process, read the following documents that
provide more information about the Ethernet Routing Switch 8600 functionality.

• Getting Started (313189-F).
• Release Notes for the Ethernet Routing Switch 8600 Release 4.1 (317177-D)
(or the latest available version).
• Important Notice about the Ethernet Routing Switch 8600 Series Switch
Modules (316340-E).

Installing the Ethernet Routing Switch software and hardware

You are now ready to plan the network configuration and install the hardware and
software related to the Ethernet Routing Switch.

1 Check that the installed version of Ethernet Routing Switch 8600 software is
release 4.1 or later. Refer to Upgrading to Ethernet Routing Switch 8600
Switch Series Software Release 4.1 (316674-C) if you need to upgrade the
existing software release.

313189-F Rev 00
Chapter 1 Using Ethernet Routing Switch documentation 27

2 Plan the details of your network configuration before continuing. A sample
network configuration is available from Firewall and Intrusion Sensor User’s
Guide (217315-B).
3 Install and configure Device Manager software version 5.8.8.0 or later if you
plan to use the Device Manager to access the Ethernet Routing Switch. Refer
to Installing and Using Device Manager (316341-D) for details.
4 Install the Ethernet Routing Switch 8660 Service Delivery Module into the
8600 chassis using the instructions in Installing the 8660 Service Delivery
Module (SDM) (217314-B).

Configuring basic Ethernet Routing Switch SDM settings

Configure the Ethernet Routing Switch 8660 SDM with the CLI or Device
Manager by following these steps. Refer to the Firewall and Intrusion Sensor
User’s Guide (217315-B) for detailed instructions.

1 Create the firewall clusters.
2 Add each firewall iSD to an appropriate cluster.
3 Create the Management Virtual Local Area Network (VLAN).
4 Create the Sync VLAN. (This step is necessary only if more than one iSD
exists in a cluster.)
5 Create Firewall VLANs for each Firewall interface, and add the Firewall
VLANs to the appropriate clusters.
6 Create Firewall Peering VLANs, and add them to the appropriate clusters.
7 Add an IP address for the Management VLAN on the Ethernet Routing
Switch 8600 switch.
8 Create the VLAN for CheckPoint Management Server.
9 Create the NAAP VLAN for communication between the Ethernet Routing
Switch 8600 and the Firewall iSD.
10 Enable NAAP.
11 Identify the firewall iSD by setting the console slot/port.

Configuring the firewall iSDs


Configure each firewall integrated Service Director (iSD) in your system, as
described in the Firewall and Intrusion Sensor User’s Guide (217315-B). The
actual number of firewall iSDs depends on the Ethernet Routing Switch 8660
SDM configuration (FW1, FW2 or FW4) and how many SDMs are in your
network.

1 Upgrade firewall iSD software, if necessary.

Note: The latest iSD software is preinstalled before shipping. This step
is not necessary for a new installation. If you do need to update the iSD
software, refer to Chapter 11 of the Firewall and Intrusion Sensor User’s
Guide (217315-B).

2 Initialize the firewall iSDs in each cluster.

Select New in the Setup utility for the first iSD in each cluster, and use Join
for subsequent firewall iSDs in that cluster.

3 Create the Firewall Interface, matching the VLAN IDs to those created in
“Configuring basic Ethernet Routing Switch SDM settings”.
4 Configure the VRRP subaddress and Virtual Router ID (VRID).
5 Configure static routes for the iSD firewalls and SmartCenter server.
6 Add CheckPoint licenses for each iSD.

Installing CheckPoint Management Server

Install the CheckPoint Management Server software as described in the Firewall
and Intrusion Sensor User’s Guide (217315-B).

Note: The 15-day trial CheckPoint licenses must be upgraded to ensure
continuous operation. A CheckPoint license is required for each Firewall
iSD and the CheckPoint Management Server.

Chapter 2
Setting up the switch

This chapter describes how to connect a terminal and a modem to the switch, how
to log on to the switch software, how to configure the switch using the Setup
Utility, how to reboot the switch using the command line interface (CLI), and how
to perform basic tasks. This section includes the following topics:

• “Connecting a terminal”
• “Connecting a modem”
• “Resetting and modifying passwords”
• “Modifying the CLI login and passwords”
• “Enabling or disabling CLI access levels”
• “Configuring the switch with the Setup Utility”
• “Rebooting or resetting the switch”
• “Setting system identification”
• “Managing files”
• “Getting Help”
• “Pinging a device”
• “Setting and displaying the date”
• “Accessing the standby CPU”
• “Exiting and re-entering the CLI”

The Ethernet Routing Switch supports two CLIs:

• Boot Monitor CLI
• Run-Time CLI

Use the Boot Monitor CLI to configure and manage the boot process. You initiate
a Boot Monitor CLI session only through a direct serial-port connection to the
switch. After the Boot Monitor CLI is active, you can access it only through a
console session. Within the Boot Monitor CLI, you can change the boot
configuration, including boot choices and boot flags.

You access the Run-Time CLI through a direct serial-port connection to the switch
or through a Telnet, SSH (Secure Shell), or remote login (Rlogin) session (if the
flags for Telnet and Rlogin are set to allow remote access). Ethernet Routing
Switch modules support one CLI session at the console serial port or up to eight
Telnet/SSH sessions. You can open a Telnet session from Device Manager by
clicking on the Telnet button on the toolbar or choosing Device > Telnet from the
menu bar.

Caution: Telnet, File Transfer Protocol (FTP), Trivial File Transfer
Protocol (TFTP), Simple Network Management Protocol (SNMP)
version 1 (v1)/version 2 (v2), and Rlogin are nonsecure protocols whose
content can be easily read and modified using well-known tools.
Nortel strongly recommends that you use secure protocols and features
such as SSH version 2 (SSHv2) (using Triple Data Encryption Standard
[3DES]), SNMP version 3 (v3) (using Advanced Encryption Standard
[AES] or DES), and Secure CoPy (SCP) to transfer files between the
switch and a remote station.

For more information about the Boot Monitor and Run-Time CLIs, see Managing
Platform Operations (315545-E). For more information about Device Manager,
see Installing and Using Device Manager (316341-D).

You can use any terminal or personal computer (PC) with a terminal emulator as
the CLI console station. For instructions to connect the computer or terminal, see
the next section, “Connecting a terminal” on page 31.

Connecting a terminal
The serial console interface is an RS-232 port that connects to a PC or terminal for
monitoring and configuring the switch. The port is implemented as a DB-9
connector that can operate as either data terminal equipment (DTE) or data
communication equipment (DCE). The default communication protocol settings
for the console port are:

• 9600 baud
• 8 data bits
• 1 stop bit
• No parity

To use the console port, you need the following equipment:

• A terminal or TTY-compatible terminal, or a portable computer with a serial
port and terminal-emulation software
• A UL-listed straight-through or null modem RS-232 cable with a female
DB-9 connector for the console port on the switch
  The other end of the cable must have a connector appropriate to the serial port
  on your computer or terminal. (Most computers or terminals use a male
  DB-25 connector.)
  A null modem cable is provided with the chassis. You can use either a null
  modem cable or a straight-through cable, depending on the DTE/DCE switch
  position.
  Any cable connected to the console port must be shielded to comply with
  emissions regulations and requirements.

To connect a computer or terminal to the Console port:

1 Set the terminal protocol as follows:
  • 9600 baud
  • 8 data bits
  • 1 stop bit
  • No parity
2 Connect the RS-232 cable to the console port.

3 Connect the other end of the cable to the terminal or computer serial port.
4 Turn on the terminal.
5 Log on to the CLI (“Resetting and modifying passwords” on page 35).

Connecting a modem
You can access the CLI through a modem connection to the Ethernet Routing
Switch 8690SF, 8691SF, or 8692SF modules. This section describes how to
connect a modem to the modem port on the module.

To set up modem access, you need a DTE-to-DCE cable (straight or transmit
cable) to connect the Ethernet Routing Switch to the modem. Table 2 shows the
DTE-to-DCE pin assignments.

Table 2 DTE-to-DCE straight-through pin assignments

         Switch       Modem DCE DB-9   Modem DCE DB-25
Signal   pin number   pin number       pin number

RXD      2            2                3
TXD      3            3                2
DTR      4            4                20
GND      5            5                7
DSR      6            6                6
RTS      7            7                4
CTS      8            8                5

The modem port is a DTE device operating at 9600 baud, 8 data bits, no parity,
and one stop bit. Because the modem port expects to receive Data Set Ready
(DSR) and Clear To Send (CTS) signals before transmitting, these control lines
are required in the cables. The modem port supports no inbound flow control; that
is, the port does not turn on and turn off control lines to indicate the input buffer is
full.

To connect a modem to an Ethernet Routing Switch you might need to set up the
modem port first using another type of connection to the CLI.

Note: Nortel recommends that you use the default settings for the
Modem port for most modem installations.

To set up the modem port using the Ethernet Routing Switch CLI:

1 In the Run-Time CLI, enter the following command:

config bootconfig sio modem

Now you can enter options for this command level without retyping the first
part of the command.

2 Use the following commands to set port parameters based on the requirements
of the modem:
• baud <rate>
  where:
  rate is the baud rate for the modem. The default is 9600.
• 8databits <true|false>
  where:
  false sets the number of data bits per byte to 8. This setting is the
  default.
  true sets the number of data bits per byte to 7.
• mode <ascii|slip|ppp>
  where:
  ascii is the default setting. This setting is recommended for most
  modem connections.
  slip sets the port for serial line IP (SLIP) operation.
  ppp sets the port for point-to-point protocol (PPP) operation.

For information about the configuration requirements of your modem, refer to
the documentation that was shipped with the modem.

Caution: Nortel recommends that before you configure SLIP or PPP,
you become familiar with these protocols.

3 If you set the port mode to slip, use the following commands to set other
SLIP parameters:
• slip-compression <true|false> to enable or disable Transmission
Control Protocol (TCP)/IP header compression. The default is false.
• slip-rx-compression <true|false> to enable or disable TCP/IP
header compression on the receive packet. The default is false.
4 If you set the port mode to ppp, use the following commands to set other PPP
parameters:
• mtu <bytes> to set the maximum transmission unit for the
point-to-point link. The default is zero (0).
• my-ip <ipaddr> to set the near-end IP address on the point-to-point
link. The default is 0.0.0.0.
• peer-ip <ipaddr> to set the peer IP address on the point-to-point link.
The default is 0.0.0.0.
• pppfile <file> to identify the file to use for PPP initialization
parameters.
5 On the modem, turn off echo mode and return code messaging.
6 Connect the modem to the modem port using a cable with the connector
described in Table 2 on page 32.

Password encryption
In the Ethernet Routing Switch 8600 Software Release 4.1, passwords are stored
in encrypted format and are no longer stored in the configuration file.

Caution: If you load a configuration file saved prior to Software
Release 3.7.6, saved passwords from the configuration file are not
recognized. If you boot the switch for the first time with the Software
Release 3.7.6 or higher image, the password is reset to default values and
a log is generated, indicating any changes.

Note: For security reasons, Nortel recommends setting the passwords to
values other than the factory defaults.

Resetting and modifying passwords

You can modify the passwords using the two CLI modes:

Boot monitor CLI

To reset all passwords to the factory defaults, enter the following command at
the boot monitor prompt:

reset-passwd

Run time CLI

To change the passwords, enter the following command:

config cli password <access-level> <username>
Enter the old password:
Enter the new password:
Re-enter the new password:

Note: All passwords are case-sensitive.

You can find more information on this enhancement in Configuring and
Managing Security (314724-E).

Logging on to the system

The basic switch configuration procedures in this chapter use the Run-Time CLI.
When the switch boot sequence is complete, the login prompt appears. Table 3
shows the default values for login and password for the console and Telnet
sessions.

Table 3 Access levels and default login values

                      Default  Default
Access level          login    password  Description

Read-only             ro       ro        Permits view only configuration and status
                                         information. Is equivalent to Simple
                                         Network Management Protocol (SNMP)
                                         read-only community access.
Layer 1 read/write    l1       l1        View most switch configuration and status
                                         information and change physical port
                                         settings.
Layer 2 read/write    l2       l2        View and change configuration and status
                                         information for layer 2 (bridging/switching)
                                         functions.
Layer 3 read/write    l3       l3        View and change configuration and status
(8600 switches only)                     information for layer 2 and layer 3 (routing)
                                         functions.
Read/write            rw       rw        View and change configuration and status
                                         information across the switch; does not
                                         allow changing security and password
                                         settings. Is equivalent to SNMP read-write
                                         community access.
Read/write/all        rwa      rwa       Permits all the rights of Read-Write
                                         access and the ability to change security
                                         settings, including the CLI and Web-based
                                         management user names and passwords
                                         and the SNMP community strings.

hsecure bootconfig flag

The Ethernet Routing Switch supports a flag called High Secure (hsecure), which
is configurable in bootconfig mode. This flag introduces the following password
behaviors: enforcement of a 10-character length, an aging time, a limit on failed
login attempts, and a protection mechanism that filters certain IP addresses.

When the hsecure flag is enabled, the software enforces the 10-character rule for
all passwords. When you upgrade from a previous release, if the password does
not have at least 10 characters, you are prompted to change your password to the
mandatory character length. This password must contain a minimum of two
uppercase characters, two lowercase characters, two numbers, and two special
characters.

Enabling or disabling hsecure

To enable (or disable) hsecure, run the CLI command:

config bootconfig flag hsecure [true|false]

A warning message appears, prompting you to reboot the switch for the change to
take effect:

Warning: Please save boot configuration and reboot the switch for
this to take effect.

Changing an invalid-length password

After you enable hsecure and reboot the switch, any user with an invalid-length
password is prompted to change their password:

Login: rwa
Password: ***
Your password is valid but less than mandatory 10 characters.
Please change the password to continue.
Enter the New password : **********
Re-enter the New password : **********
Password changed successfully

New default passwords and community strings

If the switch boots in hsecure mode with the factory default settings and no
password previously configured, the default passwords are changed to respect
this rule. Table 4 describes the new default passwords.

Table 4 New default setting passwords

User ID     New default password

rwa         rwarwarrwar
rw          rwrwrwrwrw
ro          rororororo
l3          l3l3l3l3l3
l2          l2l2l2l2l2
l1          l1l1l1l1l1
l4admin     l4adminl4a
slbadmin    slbadminsl
oper        operoperop
l4oper      l4operl4op
slboper     slboperslb
ssladmin    ssladminss
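
The following check is an added example, not Nortel code: it tests candidate passwords against the hsecure rule described above (10 characters, two from each character class) and against the default values printed in Table 3 and Table 4. It assumes that "special characters" means ASCII punctuation, which the page does not specify, and the candidate passwords are constructed for illustration.

```python
import string

MIN_LENGTH = 10      # hsecure: every password needs at least 10 characters
MIN_PER_CLASS = 2    # hsecure: at least two characters from each class below

# Assumption: "special characters" means ASCII punctuation; the page does not
# list which characters the switch counts as special.
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "numeric": string.digits,
    "special": string.punctuation,
}

# Default passwords printed in Table 3 (factory) and Table 4 (hsecure).
DEFAULT_PASSWORDS = {
    "ro", "l1", "l2", "l3", "rw", "rwa",
    "rwarwarrwar", "rwrwrwrwrw", "rororororo", "l3l3l3l3l3", "l2l2l2l2l2",
    "l1l1l1l1l1", "l4adminl4a", "slbadminsl", "operoperop", "l4operl4op",
    "slboperslb", "ssladminss",
}


def check_password(password):
    """Return the reasons a password fails the hsecure rule or is a default."""
    problems = []
    if password in DEFAULT_PASSWORDS:
        problems.append("is a documented default")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        count = sum(1 for ch in password if ch in alphabet)
        if count < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {name} characters")
    return problems


def audit(accounts):
    """Map each user ID with a weak password to its problems.

    accounts is {user_id: password}; accounts that pass are left out.
    """
    report = {}
    for user, password in accounts.items():
        problems = check_password(password)
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    # Constructed candidate passwords, for illustration only.
    candidates = {
        "rwa": "rwarwarrwar",     # Table 4 default: long enough, one class only
        "rw": "Sw1tch-Admin",     # 12 characters, but one digit and one special
        "ro": "Rd0nly#View9!",    # two or more characters from every class
    }
    for user, problems in audit(candidates).items():
        print(f"{user}: " + "; ".join(problems))
```

The Table 4 defaults reach the 10-character length but contain lowercase letters (and in some cases digits) only, so they are reported both as defaults and as missing character classes.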

Table 5 describes the new default community strings.

Table 5 New default community strings

ro publiconly
l1 privateonly
l2 privateonly
l3 privateonly
rw privateonly
rwa secretonly

Aging enforcement

When you enable the hsecure flag, after a certain duration (configurable,
default = 90 days), you are asked to change your password, as described
previously.

The aging parameter is configurable by executing the CLI command shown in the
following display:

ERS-8610:5# config cli password aging <days>
Set age-out time for passwords
Required parameters: <days> = age-out time for passwords/
community strings {1..365}
Command syntax: aging <days>

Note: For SNMP and FTP, when a password expires, access is denied.
Community strings must be changed to a new string made up of more than
8 characters before accessing the system.

Consider the following when the hsecure flag is enabled:

• The Web server cannot be enabled at any time.
• The SSH password-authentication cannot be enabled at any time.

Filtering mechanism

In this release, incorrect IP source addresses, such as network or broadcast
addresses, are now filtered at the virtual router interface. For example:

V1 has the network address 192.168.168.0/24. Source addresses 192.168.168.0 and
192.168.168.255 are discarded.

Note: This change is valid for all IP subnets, not only for /24 as
mentioned in the example.

This filtering is performed only if the hsecure mode is enabled.
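
The sketch below is an added example, not switch code: it models the rule as stated above for any prefix length up to /30, so the same source address can be checked against differently sized subnets. The function names and the 10.20.30.x addresses are constructed for illustration.

```python
import ipaddress


def filter_reason(source, interface):
    """Return why `source` would be discarded on `interface`, or None.

    `interface` is a virtual router interface in address/prefix form.
    """
    net = ipaddress.IPv4Interface(interface).network
    if net.prefixlen > 30:
        # /31 and /32 have no separate network and broadcast addresses; the
        # page does not describe them, so this model refuses to guess.
        raise ValueError(f"{net} has no distinct network/broadcast address")
    src = ipaddress.IPv4Address(source)
    if src == net.network_address:
        return "network address"
    if src == net.broadcast_address:
        return "broadcast address"
    return None


def discarded_sources(sources, interfaces):
    """List (source, subnet, reason) for every source the rule discards."""
    hits = []
    for interface in interfaces:
        net = ipaddress.IPv4Interface(interface).network
        for source in sources:
            reason = filter_reason(source, interface)
            if reason:
                hits.append((source, str(net), reason))
    return hits


if __name__ == "__main__":
    # The /24 is the page's example; the /26 interface is constructed.
    interfaces = ["192.168.168.1/24", "10.20.30.65/26"]
    sources = ["192.168.168.0", "192.168.168.255", "192.168.168.63",
               "10.20.30.64", "10.20.30.100", "10.20.30.127"]
    for source, subnet, reason in discarded_sources(sources, interfaces):
        print(f"{source} discarded: {reason} of {subnet}")
    # .63 is an ordinary host in the /24 but the broadcast address of a /26.
    print(filter_reason("192.168.168.63", "192.168.168.1/26"))
```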

Modifying the CLI login and passwords


If you have read/write/all access permission, you can modify the CLI login and
passwords using the config cli password command. You can also change the
CLI login and passwords using Device Manager. For complete instructions to
change the CLI login and password using the NNCLI, Ethernet Routing Switch
CLI, or Device Manager, see Configuring and Managing Security (314724-E).

Enabling or disabling CLI access levels


Use this feature to enable or disable users with particular access levels on an
Ethernet Routing Switch 8600, thereby eliminating the overhead of maintaining
large numbers of access levels and passwords for each user.

A user who tries to log on with a disabled access level through any means (for
example, FTP, SCP, SSH, Rlogin, or Telnet) is denied access to the switch. The
following error message is displayed when a user tries to log in with an access
level that is blocked:

Code=0x1ff0009 Blocked unauthorized cli access.

A message is logged to the log file with the following information:

User <user-name> tried to connect with blocked access level <access-level> from <src-ipaddress> via <login type>.

The message logged to the log file for console/modem port is:

User <user-name> tried to connect with blocked access level <access-level> from <console/modem> port.

RADIUS authentication takes precedence over the local configuration. If RADIUS
authentication is enabled on the switch, the user can access the switch even if an
access level is blocked on the switch.
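
The two blocked-access log messages quoted above can be turned into a simple detection, shown here as an added example that is not part of the Nortel documentation. The sample lines are constructed: the "[constructed]" prefix, the login-type values (telnet, ftp, ssh) and the addresses are assumptions, because the page gives only the message body.

```python
import re
from collections import defaultdict

# The two message bodies quoted above. search() tolerates whatever timestamp
# or severity prefix the log file puts in front of them.
NETWORK_RE = re.compile(
    r"User (?P<user>\S+) tried to connect with blocked access level "
    r"(?P<level>\S+) from (?P<source>\S+) via (?P<via>.+?)\.?\s*$"
)
LOCAL_RE = re.compile(
    r"User (?P<user>\S+) tried to connect with blocked access level "
    r"(?P<level>\S+) from (?P<source>console|modem) port\.?\s*$"
)


def parse_blocked_access(line):
    """Return the fields of a blocked-access message, or None for other lines."""
    for pattern in (LOCAL_RE, NETWORK_RE):
        match = pattern.search(line)
        if match:
            event = match.groupdict()
            # Console/modem messages carry no login type; reuse the port name.
            event.setdefault("via", event["source"])
            return event
    return None


def summarize(lines):
    """Group blocked-access events by source address or local port."""
    by_source = defaultdict(
        lambda: {"attempts": 0, "users": set(), "levels": set(), "via": set()}
    )
    for line in lines:
        event = parse_blocked_access(line)
        if event is None:
            continue
        entry = by_source[event["source"]]
        entry["attempts"] += 1
        entry["users"].add(event["user"])
        entry["levels"].add(event["level"])
        entry["via"].add(event["via"])
    return dict(by_source)


def noisy_sources(lines, threshold=3):
    """Sources with at least `threshold` blocked attempts, busiest first."""
    hits = [(source, info["attempts"])
            for source, info in summarize(lines).items()
            if info["attempts"] >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


# Constructed sample log lines (documentation address ranges).
MSG = "tried to connect with blocked access level"
SAMPLE_LOG = [
    f"[constructed] User l2 {MSG} l2 from 192.0.2.50 via telnet.",
    f"[constructed] User l3 {MSG} l3 from 192.0.2.50 via telnet.",
    f"[constructed] User rw {MSG} rw from 192.0.2.50 via ftp.",
    f"[constructed] User ro {MSG} ro from 198.51.100.7 via ssh.",
    f"[constructed] User l1 {MSG} l1 from console port.",
    "[constructed] unrelated log line that must be ignored",
]

if __name__ == "__main__":
    for source, attempts in noisy_sources(SAMPLE_LOG):
        info = summarize(SAMPLE_LOG)[source]
        print(f"{source}: {attempts} blocked attempts, "
              f"levels {sorted(info['levels'])}, via {sorted(info['via'])}")
```

One source cycling through several blocked access levels, as 192.0.2.50 does in the sample, is the pattern worth alerting on; a single blocked attempt is more often a user with an outdated login.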

If a user disables an access level, all the running sessions with that access level to
the switch are terminated except FTP sessions.

The CLI command to enable or disable an access level on a switch is:

config cli password access-level <access-level> <enable|disable>

where:

• access-level is the required access level with a string length of 2 to 8.
• enable|disable allows or blocks this access level. The default value of the
parameter is enable.

Note: Only the RWA user can disable any particular access level on the
switch. The RWA access level cannot be disabled on the switch.
These configurations are preserved across reboots.

Device Manager support is available for this feature under Security > Control Path
> CLI.

Configuring the switch with the Setup Utility


To enhance the function of the Ethernet Routing Switch 8600 Series, Nortel offers
a growing list of hardware modules. Because the latest modules have advanced
features, they work in certain operation modes that earlier modules do not support.
The Setup Utility monitors system requirements and obtains the highest system
performance.

The Setup Utility helps you configure your switch by asking you a series of
questions. Then it saves the information in the boot and runtime configuration
files. This saved information and these files ensure that your switch reboots in the
desired operating mode. The Setup Utility also displays error and warning
messages to advise you of the ramifications of certain hardware and software
configurations.

This section describes how to use the Setup Utility to configure the boot and
run-time configuration files. For detailed information about the supported
operating modes, see Managing Platform Operations (315545-E).

Running the Setup Utility

The Setup Utility prompts you through the configuration process by asking a
series of questions. Answer each question or accept the default by pressing Enter.
Each question shows the default in brackets and the acceptable parameter options
in parentheses. For more information about the individual prompts, see Table 6 on
page 46.

To start and use the Ethernet Routing Switch Setup Utility, enter the following
command:

install

Note: After running the Setup Utility, remember to reboot the switch. See
the following section, “Rebooting or resetting the switch” on page 49, for
instructions.

Configuration example: setup utility

Figure 1 on page 43, Figure 2 on page 44, and Figure 3 on page 45 show sample
output from the setup utility. In this example, the defaults have been accepted.

Figure 1 setup utility command sample output

ERS-8606:5#
ERS-8606:5# install

################################################################
Welcome to ERS 8000 setup utility. You are about to
configure initial configuration of the switch. Part of the data will
be stored in the file /flash/boot.cfg and part will be stored in
runtime configuration file. Please reboot the switch after initial
configuration

Several of these commands do not require a reboot and can be
applied dynamically through CLI
################################################################

Do you want to continue (y/n) ? y


#################
System Parameters
#################
#
Please provide primary config-file path [/flash/SN1.cfg]:
Please provide primary image-file path [/flash/p80a4100.img]:
Please add system prompt [ERS-8606]:
Please select CPU Master slot (5/6) [5]:
Master CPU mgmt port: autonegotiation [n] (y/n) ?
speed (10/100) [10]:
Do you want to enable automatic savetostandby mode [n] (y/n) ?
Do you want to enable m-mode support [n] (y/n) ?
Do you want to enable enhanced operation mode support [n] (y/n) ?
Do you want to enable CPU High Availability mode [n] (y/n) ?
Do you want to enable vlan-optimization-mode support [n] (y/n) ?
Do you want to enable r-mode support [n] (y/n) ?
#
1 - Primary configuration file path (/flash/SN1.cfg)->/flash/SN1.cfg
2 - Primary image file path (/flash/p80a4100.img)->/flash/p80a4100.img
3 - CLI prompt (ERS-8606)->ERS-8606
4 - Master CPU selection (5)->5

Figure 2 setup utility command sample output continued

5 - Master CPU Mgmt port autonegotiation (false)->false
6 - Master CPU Mgmt port speed (10)->10
7 - Automatic save to Standby (false)->false
8 - Support for M-mode (false)->false
9 - Support for enhanced operation mode (false)->false
10 - High Availability mode (false)->false
11 - Support for vlan-optimization-mode (false)->false
12 - Support for R-mode (false)->false
#
Please type the line-number you want to change
OR "0" to save & quit at this stage
OR hit return to continue [-1]:

Syncing autoneg
HA-CPU change will be applied at the end of this session only if you choose to
save configuration
#################
System Services
#################
#
Do you want to enable FTP [n] (y/n) ? y
Do you want to enable RLOGIN [n] (y/n) ? y
Do you want to enable TELNET [n] (y/n) ? y
Do you want to enable TFTP [n] (y/n) ? y
Do you want to enable WEB server service [n] (y/n) ? y
#
1 - FTP server service (true)->true
2 - RLOGIN server service (false)->true
3 - TELNET server service (true)->true
4 - TFTP server service (true)->true
5 - WEB server service (false)->true
#

Please type the line-number you want to change
OR "0" to save & quit at this stage
OR hit return to continue [-1]:

#######################
IP Network connectivity
#######################

Figure 3 setup utility command sample output concluded

IP Address for mgmt port in first CPU Slot [10.127.231.15/255.255.255.0]:
IP Address for mgmt port in second CPU Slot [10.127.231.15/255.255.255.0]:
IP Address for mgmt-virtual-ip [0.0.0.0/0.0.0.0]:
First net mgmt route [172.16.0.0:10.127.231.1]:
Second net mgmt route [134.177.0.0:10.127.231.1]:
Third net mgmt route [10.0.0.0:10.127.231.1]:
Fourth net mgmt route [11.0.0.0:10.127.231.1]:
IP address of the default VLAN [0.0.0.0/0.0.0.0]:
#
1 - Management port Ip Address for first CPU slot (10.127.231.15/255.255.255.0)->10.127.231.15/255.255.255.0
2 - Management port Ip Address for second CPU slot (10.127.231.15/255.255.255.0)->10.127.231.15/255.255.255.0
3 - Virtual management port Ip Address (0.0.0.0/0.0.0.0)->0.0.0.0/0.0.0.0
4 - First static route for management port (172.16.0.0:10.127.231.1)->172.16.0.0:10.127.231.1
5 - Second static route for management port (134.177.0.0:10.127.231.1)->134.177.0.0:10.127.231.1
6 - Third static route for management port (10.0.0.0:10.127.231.1)->10.0.0.0:10.127.231.1
7 - Fourth static route for management port (11.0.0.0:10.127.231.1)->11.0.0.0:10.127.231.1
8 - IP address of the default VLAN (0.0.0.0/0.0.0.0)->0.0.0.0/0.0.0.0
#

Please type the line-number you want to change
OR "0" to save & quit at this stage
OR hit return to continue [-1]:

Do you want to save the changes
[Saving the parameters will update the files
/flash/boot.cfg and /flash/SN1.cfg
] (y/n) ? n

WARNING: The change made will take effect only after
the configuration is saved and the full chassis is rebooted.
This feature is not applicable to 8690SF/CPU cards.
All non-M modules will be taken off-line if m-mode is enabled.

WARNING:The change made will take effect only after
the configuration is saved and the full chassis is rebooted.
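
The System Services summary in Figure 2 can be checked against the Caution about nonsecure protocols and against the hsecure restriction on the Web server. The script below is an added example, not Nortel code; it reads "(x)->y" in a summary line as previous setting and new setting, which is an interpretation of the sample output, and the hardened summary is constructed.

```python
import re

# One summary line per service, e.g. "2 - RLOGIN server service (false)->true".
# Assumption: the value in parentheses is the previous setting and the value
# after "->" is the setting that will be saved.
SUMMARY_RE = re.compile(
    r"^\s*\d+\s*-\s*(?P<name>\w+) server service\s*"
    r"\((?P<old>true|false)\)->(?P<new>true|false)\s*$"
)

# Services the Caution in this chapter names as nonsecure, with the secure
# feature it recommends instead.
NONSECURE = {
    "FTP": "use SCP for file transfer",
    "TFTP": "use SCP for file transfer",
    "TELNET": "use SSHv2 for CLI sessions",
    "RLOGIN": "use SSHv2 for CLI sessions",
}


def parse_services(summary):
    """Return {service: (previous, new)} from a System Services summary."""
    services = {}
    for line in summary.splitlines():
        match = SUMMARY_RE.match(line)
        if match:
            services[match["name"].upper()] = (
                match["old"] == "true", match["new"] == "true")
    return services


def audit_services(summary, hsecure=False):
    """List (service, state, advice) for every enabled service to review.

    With hsecure=True an enabled Web server is reported as well, because the
    page states it cannot be enabled while the hsecure flag is set.
    """
    findings = []
    for name, (old, new) in parse_services(summary).items():
        if not new:
            continue
        state = "already enabled" if old else "newly enabled"
        if name in NONSECURE:
            findings.append((name, state, NONSECURE[name]))
        elif name == "WEB" and hsecure:
            findings.append((name, state, "cannot be enabled with hsecure"))
    return findings


# Summary lines as printed in Figure 2.
FIGURE_2_SERVICES = """
1 - FTP server service (true)->true
2 - RLOGIN server service (false)->true
3 - TELNET server service (true)->true
4 - TFTP server service (true)->true
5 - WEB server service (false)->true
"""

# Constructed summary for a switch with every listed service turned off.
HARDENED_SERVICES = """
1 - FTP server service (true)->false
2 - RLOGIN server service (false)->false
3 - TELNET server service (true)->false
4 - TFTP server service (true)->false
5 - WEB server service (false)->false
"""

if __name__ == "__main__":
    for name, state, advice in audit_services(FIGURE_2_SERVICES, hsecure=True):
        print(f"{name}: {state}; {advice}")
```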

Table 6 Setup utility prompt descriptions

Prompt: Please provide primary config-file path [/flash/config.cfg]:
Description: Indicates the name of the primary configuration file.
Action: Press Enter to accept the default (/flash/config.cfg), or
enter a different file name for the primary configuration file. To
store your config file on the PCMCIA card, use /PCMCIA/config.cfg.
Specifying the path to the file is optional.

Prompt: Please provide primary image-file path [/flash/p80a4100.img]:
Description: Indicates the name of the primary image file.
Action: Press Enter to accept the default (p80a4100.img), or
enter a different file name for the primary image file.
Specifying the path to the file is optional. If your runtime image
resides on your PCMCIA card, you must specify the /PCMCIA/filename.

Prompt: Please add system prompt [ERS-8606]:
Description: Specifies the text for the prompt.
Action: Press Enter to accept the default (ERS-8610), or
enter a different string of up to 20 characters.

Prompt: Please select CPU Master slot (5/6) [5]:
Description: Indicates the slot number of the master central
processing unit (CPU).
Action: Press Enter to accept the default (5), or specify 6 for
the master CPU slot.

Prompt: Master CPU mgmt port: autonegotiation [n] (y/n)?
Description: Specifies whether you want the master CPU to
use autonegotiation.
Action: Enter n to accept the default, or enter y to indicate
that you want the master CPU management port to use
autonegotiation.

Prompt: speed (10/100) [10]:
Description: Specifies the line speed in Mbps.
Action: Press Enter to accept the default (10 Mbps), or
specify 100 Mbps.

Prompt: Do you want to enable automatic savetostandby mode [n] (y/n)?
Description: Specifies whether you want the boot and
run-time configuration files to be saved on the backup CPU.
Action: Enter y if you want the boot and runtime configuration
files to be saved on the backup CPU. Accept the default (n), if
you want the boot and runtime configuration files to be saved
on the primary CPU.

Prompt: Do you want to enable m-mode support [n] (y/n)?
Description: Specifies whether you want the chassis to run in
128 K mode. To run in 128 K mode, the CPU module must be
an 8691 or higher and the switch must have at least one 8600
module (128 K module).
Note: If you enable m-mode support and you have a mixed
configuration of modules, the E-modules and legacy modules
are disabled.
Action: Enter y if you want the chassis to run in 128 K M
mode. Accept the default (n), if you want it to run in 32 K mode
only.

Prompt: Do you want to enable enhanced operation mode support [n] (y/n)?
Description: Specifies whether you want to enable enhanced
operation mode. Enhanced operation mode increases the
maximum number of VLANs when using MultiLink Trunking
(MLT) (1980) and Split MLT (SMLT) (989). This mode requires
8600 E- or M-modules.
Note: If you enable enhanced operation mode and you have a
mixed configuration of modules, the legacy modules (neither
E- nor M-modules) are disabled.
Action: Enter y if you want to enable enhanced operation
mode. Accept the default (n), if you do not want to enable
enhanced operation mode.

Prompt: Do you want to enable CPU High Availability mode [n] (y/n)?
Description: Specifies whether you want to enable CPU high
availability (HA) mode. CPU HA mode enables switches with
two CPUs to recover quickly from a failure of one of the CPUs.
In HA mode, also called hot standby, the two CPUs are
synchronized, meaning that the CPUs are compatible and
configured in the same mode.
Action: Specify y if you want to enable CPU high availability
(HA) mode. Accept the default (n), if you do not want to enable
CPU HA mode.

Prompt: Do you want to enable vlan-optimization-mode support [n] (y/n) ?
Description: Specifies whether you want to enable support
for the VLAN optimization mode.
Action: Specify y if you want to enable
vlan-optimization-mode support. Accept the default (n) if you
do not want to enable vlan-optimization-mode support.

Prompt: Do you want to enable r-mode support [n] (y/n) ?
Description: Specifies whether you want to enable support
for r-mode.
Action: Specify y if you want to enable r-mode support.
Accept the default (n) if you do not want to enable r-mode
support.

Prompt: Do you want to enable FTP [n] (y/n)?
Description: Specifies whether you want users to access the
switch using File Transfer Protocol (FTP).
Action: Enter y if you want to enable FTP for remote users.
Accept the default (n), if you do not want to enable FTP.

Prompt: Do you want to enable RLOGIN [n] (y/n)?
Description: Specifies whether you want users to access the
switch using Rlogin.
Action: Enter y if you want to enable Rlogin for remote users.
Accept the default (n), if you do not want to enable Rlogin.

Prompt: Do you want to enable TELNET [n] (y/n)?
Description: Specifies whether you want users to access the
switch using Telnet.
Action: Enter y if you want to enable Telnet. Accept the
default (n), if you do not want to enable Telnet.

Prompt: Do you want to enable TFTP [n] (y/n)?
Description: Specifies whether you want users to access the
switch using Trivial FTP (TFTP).
Action: Enter y if you want to enable TFTP. Accept the default
(n), if you do not want to enable TFTP.

Prompt: Do you want to enable WEB server service [n] (y/n)?
Description: Specifies whether you want to enable Web
server service. The Web server service allows you to monitor
statistics for the switch using your Web browser.
Action: Enter y if you want to enable Web server service.
Accept the default (n), if you do not want to enable Web server
service.

Prompt: IP Address for mgmt port in first CPU Slot [192.168.168.168/255.255.255.0]:
Description: Indicates the IP address for the management
port in the specified CPU slot.
Action: Enter the IP address of the management port in the
first CPU slot.

Prompt: IP Address for mgmt port in second CPU Slot [192.168.168.169/255.255.255.0]:
Description: Indicates the IP address for the management
port in the specified CPU slot.
Action: Enter the IP address of the management port in the
second CPU slot.

Prompt: IP Address for mgmt-virtual-ip [0.0.0.0/0.0.0.0]:
Description: Indicates the IP address for the virtual
management port.
Action: Enter the IP address of the virtual management port.
Accept the default, 0.0.0.0/0.0.0.0, if you do not want to
specify an IP address.

Prompt: First net mgmt route [0.0.0.0:0.0.0.0]:
Description: Specifies the IP address of the first network
management route (static route from the network
management port to a device in the network).
Action: Enter the network and gateway IP address of the first
network management route.

Prompt: Second net mgmt route [0.0.0.0:0.0.0.0]:
Description: Specifies the IP address of the second network
management route.
Action: Enter the IP address of the second network
management route (static route from the network
management port to a device in the network).


Prompt: Third net mgmt route [0.0.0.0:0.0.0.0]:
Description: Specifies the IP address of the third network management route.
Action: Enter the IP address of the third network management route (static
route from the network management port to a device in the network).

Prompt: Fourth net mgmt route [0.0.0.0:0.0.0.0]:
Description: Specifies the IP address of the fourth network management route.
Action: Enter the IP address of the fourth network management route (static
route from the network management port to a device in the network).

Prompt: IP address of the default VLAN [0.0.0.0/0.0.0.0]:
Description: Specifies the IP address of the default Virtual Local Area Network
(VLAN).
Action: Enter the IP address of the default VLAN.

Prompt: Do you want to save the changes [Saving the parameters updates the
files /flash/boot.cfg and /flash/dvmrp_pol.cfg] (y/n)?
Description: Saves your changes to the boot and run-time configuration files.
Action: Enter y to save the boot and runtime configuration files. Enter n if
you do not want to save your changes.

Rebooting or resetting the switch


When you reboot the system, you can specify the boot source (flash, PCMCIA
card, or TFTP server) and file name. If you do not specify a device and file, the
Run-Time CLI uses the software and configuration files on the primary boot
device that is defined by the Boot Monitor choice command.

To reboot the system, use the following system command:

boot [<file>] [config <value>] [-y]

where:

• file is the software image device and file name in the format:
[a.b.c.d:]<file> | /pcmcia/<file> | /flash/<file>. The file name, including the
directory structure, can be up to 1024 characters.
• config <value> is the software configuration device and file name in the
format: [a.b.c.d:]<file> | /pcmcia/<file> | /flash/<file>. The file name,
including the directory structure, can be up to 1024 characters.

• -y suppresses the confirmation message before the switch reboots. If you
omit this parameter, you are asked to confirm the action before the switch
reboots.

To boot the switch using the BootStrap Protocol (BootP), use the following
command:

boot 0.0.0.0

Note: Entering the boot command with no arguments causes the switch
to boot using the current boot choices defined by the choice command
(next).

You can reset the switch by using the following command:

reset

When you reset the switch, the most recently saved configuration file is used to
reload the system parameters.

Cold boot/warm boot trap messages

When the switch reboots normally, a cold trap is sent within 45 seconds after a
reboot. If a single strand fiber (SSF) switchover occurs, a warm-start management
trap is sent within 45 seconds of a reboot.

Setting system identification


System identification parameters specify the system name, contact person, and
location.

To set the system identification:

1 Specify the system name by entering:


config sys set name <prompt>


where:
prompt is an ASCII string specifying the system name.

2 Specify the name of the contact person for the switch by entering:
config sys set contact <contact>

where:
contact is an ASCII string specifying the name of the person.

3 Define the location for the system with the command:


config sys set location <location>

where:
location is an ASCII string specifying the system location.

Managing files
The CLI includes file management commands for working with the switch files.
Use these commands for all the basic operations of any file system. The
commands take the general form of command [arguments]. Both the
commands and the arguments can be abbreviated as long as the abbreviation is not
ambiguous. Table 7 summarizes the file system commands.

Table 7 File system commands

Command Description

directory Lists contents of onboard flash memory or a PCMCIA card.


copy Copies a file.
rename Renames a file.
save Saves the running configuration to a file.


Displaying a directory

To display the contents of the flash and PCMCIA memory, use the following
command:

directory [<dir>] [-l]

where:

• dir specifies either flash or PCMCIA in the form /flash or /pcmcia.


• -l displays file details if you specify a path name.

When you invoke the directory command with no arguments, the contents of
all flash devices appear. When you specify flash or PCMCIA, only the contents
of that device appear.

Note: When you use the dir command, the CLI displays all file names
under the parent directory, rather than under the subdirectory.

Copying files

To copy a file, use the following command:

copy <srcfile> <dstfile>

where:

• srcfile is the source file in the format
{a.b.c.d:|peer:|/pcmcia/|/flash/}<file> and file is the filename of the
source file.
• dstfile is the destination file, that is, the copy in the format
{a.b.c.d:|peer:|/pcmcia/xxx|/flash/xxx}<file> and file is the filename of the
destination file.

You can use the copy command to copy a run-time image to flash memory from a
remote TFTP server. The command format for this operation is:

copy <ip_address>:<filename> <destination>


where:

• ip_address:filename is the source argument that specifies the IP address
of the remote TFTP server and the name of the file to be copied.
• destination specifies the name of the copied file in its new location.

Configuration examples

Copying a runtime image from a TFTP server to a local flash:

ERS-8610:5# copy 192.168.249.10:p80a4100.img /flash/p80a4100.img

Copying a runtime image from TFTP server to a local PCMCIA:

ERS-8610:5# copy 192.168.249.10:p80a4100.img /pcmcia/p80a4100.img

Copying a runtime image from PCMCIA to a local flash:

ERS-8610:5# copy /pcmcia/p80a4100.img /flash/p80a4100.img

Copying a runtime image from CPU-Slot5 flash to CPU-Slot6 flash:

ERS-8610:5# copy /flash/p80a4100.img 127.0.0.6:/flash/p80a4100.img

Note: The IP address for CPU-Slot5 is 127.0.0.5; the IP address for
CPU-Slot6 is 127.0.0.6.

Copying a runtime configuration file to a TFTP server:

ERS-8610:5# copy /flash/config.cfg 192.168.249.10:config.cfg


Saving the configuration to a file

To save the running configuration to a file, use the following command:

save <savetype> [file <value>] [verbose] [standby <value>] [backup <value>]

where:

• savetype specifies the type of file to save; options are config,
bootconfig, log, and trace.
• file <value> is the file name.
• verbose saves default and current configuration. If you omit the [verbose]
parameter, only the current configuration is saved.
• standby <value> saves the specified file name to the standby CPU.
• backup <value> saves the specified file name and identifies the file as a
backup file.

Getting Help
When you navigate the Boot Monitor and Run-Time CLI, online Help is available
at all levels. From any level of the tree, you can access Help in one of these four
ways:

• Typing help <command> explains what the command does and gives its
syntax (Figure 4).

Figure 4 help clear command sample output

ERS-8606:5# help clear


clear commands
atm clear atm stats
filter clear filter stats
ip clear ip information
mlt clear mlt stats
ports clear port stats
telnet kill telnet sessions
ERS-8606:5#


• Typing the word help at the system prompt provides an explanation of the
available help (Figure 5).

Figure 5 help command sample output

ERS-8606:5# help
Eight forms of help are available in the system.

1. Typing "help" describes help features

2. Typing "help commands" provides a list of
commands you can enter from the current prompt.

3. Typing "help ttychars" provides a list of
special terminal editing characters.

4. Typing "syntax" displays a path list
of commands and parameters available from the
current prompt or <command> forward.

5. Typing "help <command>" or "<command> help" describes
a specific command or provides a list of sub-commands
you can enter from with-in <command>.

6. Typing "?" displays the sub and current context
commands available from the current prompt.

7. Typing "<command> ?" displays the sub and current
context commands available from the current prompt
if the command is a intermediate node in the command
tree structure, otherwise, displays parameter help
for the command.

8. Typing "<command?>" displays a list of commands
that will match the characters entered.

ERS-8606:5#

• Typing <command> syntax displays a list of commands and parameters
available for that command (Figure 6).


Figure 6 clear syntax command sample output

ERS-8606:5# clear syntax


atm elan-stats [<ports>] [<vlan id>]
atm f5-stats [<ports>]
atm port-stats [<ports>]
filter acl statistics default [<acl-id>]
filter acl statistics port [<acl-id>]
ip arp ports <port>
ip arp vlan <vid>
ip ipfix exporter-statistics [<slots>]
ip ipfix hash-stats [<slots>]
ip route ports <port>
ip route vlan <vid>
ip vrrp ports <ports> vrid <value>
ip vrrp vlan <vid> vrid <value>
mlt ist stats
ports stats [<ports>]
telnet <session id>
ERS-8606:5#

• Typing a question mark (?) at the prompt results in a list of all commands in
that command context and the subcontext of that command.

Pinging a device
When you ping a device, an Internet Control Message Protocol (ICMP) packet is
sent from the switch to the target device. If the device receives the packet, it sends
a ping reply. When the switch receives the reply, the switch displays a message
indicating that the specified IP address is alive. If no reply is received, a message
indicates that the address is not responding.

To test the connection between the Ethernet Routing Switch and another network
device, use the following command:

ping <HostName/ipv4address/ipv6address> [scopeid <value>] [datasize <value>] [count <value>] [-s] [-I <value>] [-t <value>] [-d]


where:

• HostName/ipv4address/ipv6address is the Host Name or IPv4
(a.b.c.d) or IPv6 (x:x:x:x:x:x:x:x) address {string length 1..256}.

Optional parameters:

• scopeid value is the circuit ID (for IPv6) (1 to 9999).
• datasize value is the size of ping data sent in bytes (for IPv4) (16 to
1876).
• count value is the number of times to ping (for IPv4) (1 to 9999).
• -s sets the continuous ping at the interval rate defined by the [-I] parameter
(for IPv4).
• -I value is the interval between transmissions in seconds (1 to 60).
• -t value is the no-answer time-out value in seconds (1 to 120)(for IPv4).
• -d sets ping debug mode (for IPv4).

To specify a count for the ping operation, you must also specify a size. For
example:

ping 10.5.5.5 1600 5

Figure 7 shows output from the ping command.

Figure 7 ping command sample output

monitor# ping 10.10.81.18


10.10.81.18 is alive

You can test an IPX network connection by using the following command:

pingipx <ipxhost> [<count>] [-s] [-q] [-t <value>]

where:

• ipxhost is the IP address of the network node you are pinging.


• count is the number of times to ping the host (1 to 9999).
• -s is a continuous ping.


• -q is quiet output (same as nonverbose mode).


• -t value is the no-answer time-out value in seconds (1 to 120).

Setting and displaying the date


To set the calendar time in the form of month, day, year, hour, minute, and second,
use the following command:

config setdate <MMddyyyyhhmmss>

You must be logged in as rwa to use this command.

Configuration example: setting system date

Figure 8 is sample output using the setdate command to set the system date.

Figure 8 config setdate command sample output

ERS-8606:5# config setdate 06062002191200


local time: THU JUN 06 19:12:00 2002 UTC
utc time: THU JUN 06 19:12:00 2002 UTC
ERS-8606:5#

To view the current date settings for the switch, use one of the following
commands:

date

or

show date

Figure 9 shows sample output for the date command.


Figure 9 date command sample output

ERS-8606:5# date
local time: MON OCT 13 18:41:36 2003 UTC
hardware time: MON OCT 13 18:41:36 2003 UTC
ERS-8606:5#

Accessing the standby CPU


To use Telnet or Rlogin to access the standby CPU, use the following command:

peer <operation>

where:
operation is either Telnet or Rlogin.

Note: Before you attempt to use a telnet session to access the backup
CPU, the telnet daemon must be enabled; otherwise, the action cannot be
completed.

You can use this command to make changes to the standby CPU without
reconnecting to the console port on that module.

Note: You must set an Rlogin access policy on the standby CPU before
you can use the peer command to access it from the master CPU using
Rlogin. To set an access policy on the standby CPU, connect a terminal
to the Console port on the standby CPU. For more information about the
access policy commands, see Configuring and Managing Security
(314724-E).


Exiting and re-entering the CLI


To end your CLI session, enter one of the following commands:

quit
logout
exit

To log back in to the CLI, use the login command.


Chapter 3
Setting up the switch for remote management

This chapter describes how to assign an Internet Protocol (IP) address to the
management port, configure Simple Network Management Protocol (SNMP)
settings, and enable remote management services. This section includes the
following topics:

• “Assigning an IP address to the management port”
• “Setting security features”
• “Enabling remote access services using CLI”
• “Monitoring the switch using Web management”
• “Managing the switch using Device Manager”


Assigning an IP address to the management port


You must assign an IP address to the management port before you can use it for
out-of-band management. In a switch with redundant 8690, 8691, or 8692
modules, each management port has a specific IP address. In addition, you can
create a virtual management port with an IP address that is available to the master
management module.

The master management module replies to all management requests sent to the
virtual IP address, as well as to requests sent to its management port IP address. If
the master management module fails and the backup management module takes
over, the virtual management port IP address continues to provide management
access to the switch.

To assign an IP address to the management port, use the following command:

config bootconfig net mgmt ip <ipaddr/mask> [cpu-slot <value>]

where:

• ipaddr/mask specifies the IP address and subnet mask of the management
port (for example, 10.127.231.15/255.255.255.0).
• cpu-slot <value> specifies the switching fabric module (8690SF,
8691SF, or 8692SF), either slot 5 or slot 6. If you do not specify a slot number
for the IP address, a slot number is assigned to the currently active
management module.

Note: The standby IP must be in the same subnet as the master IP.
If you use the command line interface (CLI), you cannot set the standby
IP to a different subnet than the master IP, and you receive a warning
message stating this.
If you use Device Manager, you can set the standby IP to a different
subnet than the master IP, and you do not receive a warning message.

To assign an IP address to the virtual management port, use the following
command:

config sys set mgmt-virtual-ip <ipaddr/mask>

where:
ipaddr/mask is the IP address and subnet mask you assign.

Any time you change the boot configuration, you must save the changes to both
the master and the standby management modules.

To save the boot configuration:

1 Enter:
save bootconfig standby <boot.cfg>

where:
boot.cfg is the name of the configuration file.

2 Enter:
save config standby <config.cfg>

where:
config.cfg is the name of the configuration file.

Assigning static routes to the management interface


You can specify up to four separate static routes for the management interface.
For more information about static routes, see Configuring IP Routing Operations
(314720-F).

To specify a gateway address route from the runtime CLI, use the following
command:

config bootconfig net mgmt route add <netaddr/mask> <gateway>


In each of these commands, the parameters are defined as follows:

• netaddr/mask is the IP address and mask of the destination network in the
formats a.b.c.d/x | a.b.c.d/x.x.x.x | default.
• gateway is the IP address of the default gateway.

To save the configuration, use the following command:

save bootconfig standby <boot.cfg>

where:
boot.cfg is the name of the configuration file.

Note: If the save-to-standby flag is set to true, and you save a file to the
central processing unit (CPU) flash, the file is also saved to the standby
CPU flash.

For example, if a management station is located on the network of
11.0.0.0/255.0.0.0, and the next hop to that network from the management
interface is 10.127.231.1, enter the following command to set up the
management port correctly:

config bootconfig net mgmt route add 11.0.0.0/255.0.0.0 10.127.231.1

The value 11.0.0.0/255.0.0.0 represents the target subnet; the value 10.127.231.1
represents the gateway used to point to the target subnet.

Caution: This command uses the natural mask of the target subnet.
Therefore, using this example, what you implement is the command:
config bootconfig net mgmt route add 13.0.0.0 10.125.2.1
Additionally, this route does not appear in the routing table of the
Ethernet Routing Switch 8600 switch. If any 13.x.x.x networks are
learned or configured for output using the I/O modules, connectivity
issues can result.


The maximum number of static routes that can be added is four.
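The following Python check is an added example, not part of the Nortel guide. It applies three rules stated above to a planned management-port configuration: master and standby IPs must share a subnet, at most four static routes are allowed, and each route is installed with the natural mask of its destination. It assumes "natural mask" means the classful mask (/8, /16, /24); the function names and the sample plan are constructed for illustration, and "default" routes are outside its scope.

```python
import ipaddress

MAX_MGMT_ROUTES = 4  # limit stated in the guide


def natural_prefix(addr):
    """Classful ("natural") prefix length of an IPv4 address (assumed meaning)."""
    first_octet = int(ipaddress.IPv4Address(str(addr))) >> 24
    if first_octet < 128:
        return 8    # class A
    if first_octet < 192:
        return 16   # class B
    if first_octet < 224:
        return 24   # class C
    raise ValueError(f"{addr} is class D/E and has no natural mask")


def effective_route(dest):
    """Destination as installed when the natural mask replaces the typed one.

    Accepts a.b.c.d/x and a.b.c.d/x.x.x.x, two of the formats the command takes.
    """
    ip = ipaddress.IPv4Interface(dest).ip
    return ipaddress.IPv4Network(f"{ip}/{natural_prefix(ip)}", strict=False)


def check_mgmt_plan(master, standby, routes, data_networks):
    """Return a list of (code, detail) findings for a management-port plan.

    routes is a list of (destination, gateway) pairs; data_networks lists the
    networks learned or configured on the I/O modules.
    """
    findings = []
    m_if = ipaddress.IPv4Interface(master)
    s_if = ipaddress.IPv4Interface(standby)
    # The CLI warns about this; Device Manager accepts it silently.
    if m_if.network != s_if.network:
        findings.append(("standby-subnet", f"{s_if} is outside {m_if.network}"))
    if len(routes) > MAX_MGMT_ROUTES:
        findings.append(("too-many-routes", f"{len(routes)} routes, limit is 4"))
    data = [ipaddress.IPv4Network(n, strict=False) for n in data_networks]
    for dest, gateway in routes:
        typed = ipaddress.IPv4Interface(dest).network
        installed = effective_route(dest)
        if installed != typed:
            findings.append(("mask-widened", f"{typed} installs as {installed}"))
        for net in data:
            # The management route is not in the routing table, so an overlap
            # with an I/O-module network can cause connectivity issues.
            if installed.overlaps(net):
                findings.append(("overlap", f"{installed} via {gateway} covers {net}"))
    return findings


# Constructed sample plan (addresses chosen for illustration only).
MASTER = "10.127.231.15/255.255.255.0"
STANDBY = "10.127.232.16/255.255.255.0"
ROUTES = [
    ("11.0.0.0/255.0.0.0", "10.127.231.1"),
    ("172.20.5.0/255.255.255.0", "10.127.231.1"),
]
DATA_NETWORKS = ["172.20.9.0/24"]

if __name__ == "__main__":
    for code, detail in check_mgmt_plan(MASTER, STANDBY, ROUTES, DATA_NETWORKS):
        print(f"{code}: {detail}")
```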

Setting security features


Use system security parameters to define login names and passwords for access to
the switch management functions and to specify the access methods, such as
through a Telnet session or through a Web browser.

You can use the CLI to set up passwords and community strings for access to all
the management functions of the switch.

For more information about the security features available in the Ethernet Routing
Switch software, see Configuring and Managing Security.

Enabling remote access services using CLI


To enable an access service from the Boot Monitor CLI, use the following
procedure:

1 While the switch is booting, press any key to interrupt the autoboot process.
2 Enable or disable the access service by using the following command:
flags <access-service> <true|false>

where:

• access-service is ftpd, rlogind, telnetd, tftpd, or sshd.


• true enables the access service.
• false disables the access service.
3 Enter save.


Configuring access service from the Run-Time CLI

To set up these access services from the Run-Time CLI, use the command:

config bootconfig flags <access-service> <true|false>

where:

• access-service is ftpd, rlogind, telnetd, tftpd, or sshd.


• true enables the access service.
• false disables the access service.

To save the state of the access services that you set up, use the following
command:

save bootconfig

Enabling Rlogin

When you enable the Rlogin flag using the command config bootconfig
flags rlogind true, you must configure an access policy and specify the name
of the user who can access the switch.

Configuration Example: configuring an access policy

Figure 10 shows sample output for configuring an access policy for Rlogin. The
sample shows the access-policy configuration required for the user “netadmin” to
Rlogin to the switch from the 10.0.0.0/255.0.0.0 network. For more information
about configuring access policies, see Configuring and Managing Security
(314724-E).

Figure 10 config sys access-policy command sample output

ERS-8606:5# config sys access-policy policy 3 create


ERS-8606:5# config sys access-policy policy 3 name "from subnet 10"
ERS-8606:5# config sys access-policy policy 3 username "netadmin"
ERS-8606:5# config sys access-policy policy 3 network 10.0.0.0/255.0.0.0
ERS-8606:5# config sys access-policy policy 3 service rlogin enable
ERS-8606:5#


Disabling a service

To disable one of the services on the switch, enter the following command:

config bootconfig flags <access-service> false

Note: When you enable or disable the flags, daemon behavior is changed
immediately. You need to save the boot configuration file and reboot the
system.
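The following Python audit is an added example, not part of the Nortel guide. It replays a transcript of the flag and access-policy commands shown in this section and reports which unencrypted services (ftpd, rlogind, telnetd, tftpd) end up enabled, whether sshd was turned on, whether flag changes were left unsaved, and whether an enabled rlogind has the access policy with a user name that the guide requires. The transcript is constructed, and the function and field names are assumptions for illustration.

```python
import re

# Access services named in the guide; these four send logins and data unencrypted.
CLEARTEXT = {"ftpd", "rlogind", "telnetd", "tftpd"}
KNOWN = CLEARTEXT | {"sshd"}

PROMPT = re.compile(r"^\S+[#>]\s*")  # leading "ERS-8606:5# " style prompt
FLAG = re.compile(r"^(?:config\s+bootconfig\s+)?flags\s+(\S+)\s+(true|false)$")
POLICY = re.compile(r"^config\s+sys\s+access-policy\s+policy\s+(\d+)\s+(\S+)\s*(.*)$")

# Constructed sample transcript (not captured from a real switch).
SAMPLE = """\
ERS-8606:5# config bootconfig flags telnetd true
ERS-8606:5# config bootconfig flags rlogind true
ERS-8606:5# config bootconfig flags ftpd true
ERS-8606:5# config bootconfig flags ftpd false
ERS-8606:5# config bootconfig flags sshd true
ERS-8606:5# save bootconfig
ERS-8606:5# config bootconfig flags tftpd true
ERS-8606:5# config sys access-policy policy 3 create
ERS-8606:5# config sys access-policy policy 3 network 10.0.0.0/255.0.0.0
ERS-8606:5# config sys access-policy policy 3 service rlogin enable
"""


def audit_access_services(transcript):
    """Replay flag and access-policy commands; report the resulting exposure.

    Only commands present in the transcript are considered, so a service that
    is never mentioned is reported as not enabled, whatever the switch default.
    """
    state, policies, unknown = {}, {}, []
    unsaved = False
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        flag = FLAG.match(line)
        if flag:
            service, value = flag.groups()
            if service in KNOWN:
                state[service] = value == "true"  # last command wins
                unsaved = True
            else:
                unknown.append(service)
            continue
        policy = POLICY.match(line)
        if policy:
            pid, key, rest = policy.groups()
            entry = policies.setdefault(pid, {"username": "", "rlogin": False})
            if key == "username":
                entry["username"] = rest.strip().strip('"')
            elif key == "service" and rest.split() == ["rlogin", "enable"]:
                entry["rlogin"] = True
            continue
        # "save" is the Boot Monitor form, "save bootconfig" the Run-Time form.
        if line == "save" or line.split()[:2] == ["save", "bootconfig"]:
            unsaved = False
    rlogin_ready = any(p["rlogin"] and p["username"] for p in policies.values())
    return {
        "cleartext_enabled": sorted(s for s in CLEARTEXT if state.get(s)),
        "sshd_enabled": state.get("sshd", False),
        "unsaved_flag_changes": unsaved,
        # The guide requires an access policy naming the user once rlogind is on.
        "rlogin_policy_ok": rlogin_ready or not state.get("rlogind", False),
        "unknown_services": unknown,
    }


if __name__ == "__main__":
    for key, value in audit_access_services(SAMPLE).items():
        print(f"{key}: {value}")
```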

Monitoring the switch using Web management


The Ethernet Routing Switch includes a Web management interface that lets you
monitor your switch through a World Wide Web browser from anywhere on your
network. The Web interface provides many of the same monitoring features as the
Device Manager software.

For configuration requirements and instructions for installing the help files,
enabling the Web server using Device Manager, and accessing the Web interface,
see Configuring Network Management (314723-E).

Managing the switch using Device Manager


Device Manager is an SNMP-based graphical user interface (GUI) tool designed
to manage single devices. To use Device Manager, you must have network
connectivity to a management station running Device Manager in one of the
supported environments.

For instructions to install and start Device Manager, refer to Installing and Using
Device Manager (316341-D).


Chapter 4
Providing switch reliability

This chapter describes the switch reliability in the Ethernet Routing Switch.

Providing switch reliability


As system resources become more widely distributed, the reliability of network
nodes is even more important because it affects connectivity in the entire network.
Although software and hardware components of a node are reliable, they are still
prone to failures. Protecting the node from failure of any of its components makes
the node highly available.

Many high availability features are built in at all levels of the Ethernet Routing
Switch, including the following.

Hardware
• Hot-swappable Input/Output (I/O) modules
• Hot-swappable Service Delivery Modules (SDM)

Caution: All disk drives must be parked before you attempt to hot-swap
an SDM module!

• passive backplane
• Silicon Switch Fabric redundancy and load-sharing
• redundant fans and power supply units

Software
• Port-level and slot-level redundancy in the form of Link Aggregation
• Split Link Aggregation


• Split MultiLink Trunking (SMLT)


• Routed Split MultiLink Trunking (RSMLT)
• Basic Central Processing Unit (CPU) availability—warm standby
• High CPU availability—hot standby
• Router redundancy through Virtual Router Redundancy Protocol (VRRP)

For more information about Link Aggregation, see Configuring VLANs, Spanning
Tree, and Link Aggregation (314725-E).

If the primary SSF/CPU module fails, the backup SSF/CPU assumes the primary
role.

Note: During a CPU failover, do not hot swap I/O modules until the new
CPU becomes the master CPU.

You can configure CPU redundancy to provide either basic availability or high
availability.

In warm standby redundancy mode, if the primary CPU fails, the backup CPU
must initialize all input/output modules and load switch configurations, causing
delays and disrupting operations. In hot standby redundancy mode, both CPUs
maintain synchronized configuration and operational databases, enabling very
quick recovery and high availability.

If you enable high availability (HA), called “Layer 3 redundancy”, you
automatically disable all non-HA features, that is, features that are not
currently supported by HA. For the 4.1 release, the following main
features/protocols are not supported:

• Dynamic multicast routing protocols (Distance Vector Multicast Routing
Protocol [DVMRP], Protocol Independent Multicasting-Sparse Mode
[PIM-SM], Protocol Independent Multicasting-Source Specific Multicast
[PIM-SSM], Pragmatic General Multicast Protocol [PGM])
• Border Gateway Protocol (BGP)


When you enable HA, both the primary and backup CPUs synchronize their
database structures following initialization. After this complete table
synchronization, only topology changes are exchanged between the primary and
backup CPU.
